Technolog: ON THE NET;Today's Willie Suttons mug corporate users, not the little guy from Hackensack.

By Peter H. Lewis

Published: November 13, 1995

DOZENS of electronic merchants are dreaming of a byte Christmas. But is this the year that all the pieces for electronic consumerism will fall into place?

Don't unhitch those reindeer just yet. The merchants point to surveys that show a growing dissatisfaction with surly and poorly trained clerks, with the crowds, the parking headaches and other drawbacks of the retail shopping experience.

More important still, for many people, is the lack of time available for physical shopping. Virtual shopping malls are open all night, and one can shop in robe and pajamas, bathed in the warm glow of a Pentium processor.

But there are many remaining obstacles -- some technical, some psychological. The highest barriers are those needed to assure secure transactions and privacy.

Many people are reluctant to send their credit card information over the Internet, their fears heightened by news accounts of computer bandits vacuuming gigabytes of financial data from computer systems around the world.

The truth is that sending a credit card number to an electronic merchant over the Internet is probably the safest way to make such a transaction.

In the last week, for example, I handed my credit card to a waiter who disappeared with it for five minutes. I faxed my credit card information to a business in New Jersey, and the fax probably lay exposed to everyone in that office for hours and perhaps to the cleaning crew that night.

I called a hotel and gave my card data to a reservations clerk and continued my recklessness by ordering some merchandise from a clothing catalogue, again by reading my credit card information to some unseen operator.

Yes, there is a risk that someone was tapping my telephone when I read my credit card number aloud or faxed it. (A reminder: Never, ever, give a credit card number over a cordless or cellular phone.) A spy might have snapped a picture of my credit card with a hidden camera when I handed it to the waiter. A hacker might have intercepted my numbers as they passed through an Internet router in Hackensack, N.J.

But compared with the risk of handing my credit card to a stranger, which I do nearly every day, sending it over the Internet is pretty secure.

The real risk of sending my unencrypted number is not that some cyberspace cowboy will intercept it en route to the electronic merchant, but rather that the receiving company will store my credit information in an insecure computer. (No, not one racked with doubt about whether its hard disk is big enough, but one that lacks firewall, authentication, authorization and physical protections.)

My credit card number was probably among the 30,000 or so that were lifted last year from unsecured computers of Netcom On-Line Communications Services by any number of hackers, possibly including the notorious Kevin Mitnick. As far as I know, no one has charged a powerful work station or a vacation to the Caymans to my account.

How did Netcom get my credit card number in the first place? I read it to them over the telephone, because they warned me that it was insecure to send it over the Internet. Then they typed it into their computer, which was connected to the Internet, and left a door open.

Willie Sutton did not mug individuals for their wallets; he robbed banks, because, as he noted, that's where the money was. A hacker bright enough to break into an Internet server is also bright enough not to waste time picking isolated Mastercard and Visa numbers from the data stream.

Today's Willie Suttons rob corporate computers, because that's where the data are. The people who should be really nervous about electronic commerce are the banks, brokerage houses and those who do business-to-business transactions.

As an individual, I can shrug off the recent news that two students cracked the security mechanism in World Wide Web servers of Netscape Communications. But if I were a business about to risk my future on electronic commerce based on the Netscape server or any other Web server, I would want to wait a while longer until I was confident that the security issue had been resolved.

It will not be resolved before Christmas.

According to a recent survey by Commerce Net and Nielsen, 2.5 million American and Canadian adults have purchased something over a computer network. There are plenty of places for them to shop.

For example, CyberShop (http:// cybershop.com), in Montclair, N.J., is trying to lure customers with a sweepstakes, in which the winner gets a $25,000 on-line shopping spree for items including fine china, towels and cameras.

A new electronic shopping mall called eShop Plaza, from a company called eShop Inc., allows "virtual 3-D" shopping of Tower Records, (800) Flowers and Spiegel catalogues, among other offerings, for users with the proper Windows software.

The eShop Web site can be found, along with scores of other Internet shopping areas, through the Yahoo directory (http://www.yahoo.com/ BusinessandEconomy/Companies/ShoppingCenters/).

Yet, as David Kline pointed out in a recent opinion article in the on-line magazine Hotwired (http:// www.hotwired.com/market/95/43/ index1a.html), the amount of shopping done on line is dwarfed by the amount done over insecure telephone lines.

"The real reason people aren't buying very much on line yet is that there's nothing much to buy on line that can't be bought more easily or less expensively and with better service in more familiar surroundings," Mr. Kline said.